Some data in the instruction stream is potentially uninitialized - fix this.

Change the OperandTypes constructor so that uninitialized memory in the int
is zeroed, and modify the Instruction constructor taking an Opcode so that
if !HAVE(COMPUTED_GOTO) (i.e. when Opcode is an enum, and is potentially only
a byte) it zeros the Instruction first before writing the opcode.

Fix broken tokenizer regression test that reflected a lifetime bug
in the document.write optimization. The test failure was trivial to
reproduce in COLLECT_ON_EVERY_ALLOCATION mode.

bindings/js/JSHTMLDocumentCustom.cpp:
(WebCore::documentWrite): Convert strings to String rather than passing
the pointer and length to SegmentedString. The optimization is thus
mostly gone. However, there are two ways to bring it back: 1) Apply
the patch that makes UString and String share the same buffers.
2) Add a UString feature to SegmentedString; simple to do but might
risk slowing down normal document parsing.

bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::generate): Set the isNumericCompareFunction bit
after compiling.

parser/Nodes.cpp:
(JSC::FunctionBodyNode::emitBytecode): Fixed a bug that caused us to
codegen an extra return at the end of all functions (eek!), since this
made it harder / weirder to detect the numeric comparison pattern in
bytecode.

runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncSort): Use the isNumericCompareFunction bit to do
a faster sort if we can.

​https://bugs.webkit.org/show_bug.cgi?id=23952
Add Document::write overload which takes a SegmentedString since this
is what the tokenizer expects anyway. Modified JSHTMLDocument so it once
again calls Document::write instead of injecting the string directly into
the tokenizer. This ensures that all document.write's are funneled through
one method again, but should still be just as fast for JSHTMLDocumentCustom.

Remove updateWidgetPosition on RenderObject. Change RenderView's set of widgets
to have a tighter type: RenderWidget instead of RenderObject. Devirtualize
updateWidgetPosition, since all RenderWidgets (except for applets) are now
RenderParts also.

Get rid of isEdited/setEdited on RenderObject. Devirtualize isEdited/setEdited on RenderTextControl.
Callers were already asking if the renderer was a text field (or a text area), so it was especially
pointless to waste a second virtual function call after making one just to determine the object type.

dom/Document.cpp:
(WebCore::Document::prepareToWrite): Added. Refactored the initialization part
of write into a separate function for use in the JavaScript binding.
(WebCore::Document::write): Changed to call prepareToWrite.

runtime/StringPrototype.cpp:
(JSC::stringProtoFuncIndexOf): Added a fast path for cases where the second
argument is either missing or an integer.
(JSC::stringProtoFuncBig): Use jsNontrivialString since the string is guaranteed
to be 2 or more characters long.
(JSC::stringProtoFuncSmall): Ditto.
(JSC::stringProtoFuncBlink): Ditto.
(JSC::stringProtoFuncBold): Ditto.
(JSC::stringProtoFuncItalics): Ditto.
(JSC::stringProtoFuncStrike): Ditto.
(JSC::stringProtoFuncSub): Ditto.
(JSC::stringProtoFuncSup): Ditto.
(JSC::stringProtoFuncFontcolor): Ditto.
(JSC::stringProtoFuncFontsize): Make the fast path Sam recently added even faster
by avoiding all but the minimum memory allocation.
(JSC::stringProtoFuncAnchor): Use jsNontrivialString.
(JSC::stringProtoFuncLink): Added a fast path.

​https://bugs.webkit.org/show_bug.cgi?id=23738
Expose the url elements target frame string. This is the sister function
to the existing linkTargetFrame which returns the QWebFrame*. When the
linkTargetFrame is 0 it is useful to know what the target was to be.

The focusWidget in the input context is not reset properly.
The QApplication::setFocusWidget() wont reset the IC if the reason is
PopupFocusReason, this is not ideal. For the time being we are going
to do this from webkit itself.

Math.random calls WTF::randomNumber which is implemented as
the secure rand_s on windows. Unfortunately rand_s is an order
of magnitude slower than arc4random. For this reason I've
added "weakRandomNumber" for use by JavaScript's Math Object.
In the long term we should look at using our own secure PRNG
in place of the system, but this will do for now.

30% win on SunSpider on Windows, resolving most of the remaining
disparity vs. Mac.

Remove (/reduce) use of hard-wired register names from the JIT.
Currently there is no abstraction of registers used in the JIT,
which has a number of negative consequences. Hard-wiring x86
register names makes the JIT less portable to other platforms,
and prevents us from performing dynamic register allocation to
attempt to maintain more temporary values in machine registers.
(The latter will be more important on x86-64, where we have more
registers to make use of).

Also, remove MacroAssembler::mod32. This was not providing a
useful abstraction, and was not in keeping with the rest of the
MacroAssembler interface, in having specific register requirements.

When throwing an exception within an eval argument string, the dst parameter was
modified in the functions below and the return value for eval was altered. Changed
the emitNode call in JSC::ThrowNode::emitBytecode to use a temporary register
to store its results instead of dst. The JSC::FunctionCallResolveNode::emitBytecode
would load the function within the dst registry, also altering the result returned
by eval. Replaced it with another temporary.

Get rid of containingBlockHeight(), since it had only one implementation (despite being virtual) and just returned
containingBlock()->availableHeight(). The latter reads better anyway. Rename containingBlockWidth() to
containingBlockWidthForContent() and move it to RenderBoxModelObject.

Rename getOverflowClipRect and getClipRect to overflowClipRect and clipRect. Move them to RenderBox, since these methods
only apply to boxes. Devirtualize clipRect, since it was not subclassed. Move controlClip stuff to RenderBox also.

Release build fix when VIDEO is disabled (it should also
help those with WORKERS or XSLT disabled).

bindings/js/JSDOMWindowBase.cpp:
(jsDOMWindowBaseAudio): Added an UNUSED_PARAM for exec and slot when
VIDEO is disabled.
(jsDOMWindowBaseWorker): Ditto for WORKERS.
(jsDOMWindowBaseXSLTProcessor): Ditto for XSLT.

​https://bugs.webkit.org/show_bug.cgi?id=23923
Implement mediaPlayerVolumeChanged so a media engine can report autonomous volume changes.
Supporting this requires that we know when we are processing a media engine callback so
we don't turn around and tell the media player to change the volume when it is reporting
a volume change.

wtf/RandomNumber.cpp:
(WTF::randomNumber): Make only one call to the random number generator
on platforms where the generator is cryptographically secure. The value
of randomness over and above cryptographically secure randomness is not
clear, and it caused some performance problems.

html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::load): selectMediaURL now also returns a MIME type, pass it to
MediaPlayer::load so it can choose the right media engine
(WebCore::HTMLMediaElement::selectMediaURL): renamed from pickMedia. use MIMETypeRegistry
functions to strip params from the url and extract the codecs parameter. call
MediaPlayer::supportsType to see if we can open the file since only a media engine can
answer questions about supported type+codecs.

(WebCore::MediaPlayerFactory::MediaPlayerFactory): New, factory constructor.
(WebCore::installedMediaEngines): New, returns vector of all installed engines.
(WebCore::addMediaEngine): New, add a media engine to the cache.
(WebCore::chooseBestEngineForTypeAndCodecs): New, return an engine that might support a MIME type.
(WebCore::MediaPlayer::MediaPlayer): create NULL media player so we have a default. Initialize m_currentMediaEngine.
(WebCore::MediaPlayer::~MediaPlayer): don't need to delete m_private, it is now an OwnPtr.
(WebCore::MediaPlayer::load): Take MIME type as well as url, since we need it to find the right

media engine. If no MIME type is provided, try to devine one from the url. Choose a media engine
based on the MIME type and codecs parameter.

(WebCore::MediaPlayer::currentTime): Remove excess white space.
(WebCore::MediaPlayer::supportsType): Take codecs param as well as MIME type. Return enum so we can
indicate "maybe" condition.
(WebCore::MediaPlayer::getSupportedTypes): Build up list of MIME types by consulting all engines.
(WebCore::MediaPlayer::isAvailable): return true if any media engine is installed.

Instead we now directly propage the QualifiedName inside the generated Factory.

Test: fast/dom/prefixed-image-tag.xhtml

dom/Document.cpp:
(WebCore::Document::createElement): Removed the setPrefix work-around
and replaced it with an ASSERT to catch mistakes inside the Factory code.
Remove the unneeded ExceptionCode argument.

NSHTMLReader tries to create a WebArchive from a random chunk of data. Previously, WebArchive creation would
fail and return nil and NSHTMLReader would try something else. When we changed the behavior to return an invalid
WebArchive object, things started getting weird.

WebView/WebArchive.mm:
(-[WebArchivePrivate setCoreArchive:]): Null check the pointer before calling ->deref()
(-[WebArchivePrivate dealloc]): Remove the ASSERT which is now invalid, and null check the pointer before ->deref().
(-[WebArchivePrivate finalize]): Ditto
(-[WebArchive initWithData:]): If the LegacyWebArchive cannot be created, return nil instead of an invalid object.

I have no idea why this broke. As far as I can tell the old code never should have worked in
the first place. Add code to handleWheelEvent that will find an enclosing renderer for a node
in order to attempt a wheel scroll.

Move the functions that paint borders, box shadows and border images into RenderBoxModelObject. drawBorder and drawBorderArc, because they are used
for outlines as well as borders, need to stay in RenderObject. Rename them to drawLineForBoxSide and drawArcForBoxSide in order to reflect their
more generic use. Rename the BorderSide struct to BoxSide, since the concept of "side" is just a rectangle concept and not a border concept.

Skipped list contained '$item', but no file of that name could be
found

Reviewed by John Sullivan.

Scripts/run-webkit-tests:
(top level): Pass the list name to processIgnoreTests so it can print
out a reasonable warning message.
(processIgnoreTests): Take a list name as a second parameter and use
it to display a better warning message. Also check for a "-disabled"
version of the test before warning about it not existing.

platform/win/fast/css/computed-style-without-renderer-expected.txt:
Copied the non-Mac results here, too, since on Windows we first check
for Mac-specific results before checking for cross-platform results.

02/11/09:

​https://bugs.webkit.org/show_bug.cgi?id=23705
Fix the UI freeze caused by Worker generating a flood of messages.
Measure time we spend in executing posted work items. If too much time is spent
without returning to the run loop, exit and reschedule.

wtf/MainThread.h:
Added initializeMainThreadPlatform() to initialize low-level mechanism for posting
work items from thread to thread. This removes #ifdefs for WIN and CHROMIUM from platform-independent code.

wtf/MainThread.cpp:
(WTF::initializeMainThread):
(WTF::dispatchFunctionsFromMainThread):
Instead of dispatching all work items in the queue, dispatch them one by one
and measure elapsed time. After a threshold, reschedule and quit.

(WTF::callOnMainThread):
(WTF::callOnMainThreadAndWait):
Only schedule dispatch if the queue was empty - to avoid many posted messages in the run loop queue.

wtf/mac/MainThreadMac.mm:
(WTF::scheduleDispatchFunctionsOnMainThread):
Use static instance of the mainThreadCaller instead of allocating and releasing it each time.
(WTF::initializeMainThreadPlatform):

DumpRenderTree/win/LayoutTestControllerWin.cpp:
(LayoutTestController::pauseAnimationAtTimeOnElementWithId):
(LayoutTestController::pauseTransitionAtTimeOnElementWithId):
(LayoutTestController::numberOfActiveAnimations):
Implemented these by calling through to IWebFramePrivate.

<rdar://problem/6570573> Some visit counts in History.plist have insanely high values, can roll over to negative

Remove the item from the date caches before registering the visit. Otherwise it might not be successfully removed
and when we add it back later it will exist in the list twice. This will cause the entry to be written out twice,
which would lead to doubling (or more!) the visit count on next launch when these multiple items are merged.

History/WebHistory.mm:
(-[WebHistoryPrivate visitedURL:withTitle:]): Swap the removeItemFromDateCaches and visitedWithTitle calls.
(-[WebHistoryPrivate addItem:discardDuplicate:]): Add a mode that allows the entry being added to be discarded
if an entry for the URL already exists. Use that mode when reading the History.plist so only the most
recent entry for a given URL will be used.
(-[WebHistoryPrivate addItems:]):
(-[WebHistoryPrivate loadHistoryGutsFromURL:savedItemsCount:collectDiscardedItemsInto:error:]):

<rdar://problem/6570573> Some visit counts in History.plist have insanely high values, can roll over to negative

Remove the item from the date caches before registering the visit. Otherwise it might not be successfully removed
and when we add it back later it will exist in the list twice. This will cause the entry to be written out twice,
which would lead to doubling (or more!) the visit count on next launch when these multiple items are merged.

WebHistory.cpp:
(WebHistory::loadHistoryGutsFromURL):
(WebHistory::addItems):
(WebHistory::addItem): Add a mode that allows the entry being added to be discarded if an entry for the URL already
exists. Use that mode when reading the History.plist so only the most recent entry for a given URL will be used.
(WebHistory::visitedURL): Swap the removeItemFromDateCaches and visitedWithTitle calls.

Eliminate createInlineBox and dirtyLineBoxes from RenderObject. These functions have been devirtualized.
The single call site now calls a helper function that just bit checks and casts before calling the correct
type. RenderBlock's dirtyLineBoxes function was dead code (caused by the RenderFlow deletion), so it has
just been removed.

Add a bit on RenderStyle that gets set when running accelerated
transitions of transform or opacity. These ensure that styles
compare as different during the transition, so that interruption
can be detected reliably.

Combine RenderObject::element() and RenderObject::node() into a single function.
node() now has the "anonymous bit" checking behavior of element() and will
return 0 for anonymous content. This patch switches all callers of element()
to node() and patches old callers of node() to deal with situations where they
did not expect node() to be 0. A bunch of node() calls were calling stuff on
Document that they clearly didn't intend, so overall this is a nice improvement.

loader/FrameLoader.cpp:
(WebCore::FrameLoader::commitProvisionalLoad): Rolled opened() into this method. This method was
the only caller and - in the future - will benefit from doing parts of opened()'s work differently.
(WebCore::FrameLoader::open): Split off per-frame logic into open(CachedFrame&) method.
(WebCore::FrameLoader::closeAndRemoveChild): Added. Do the non-tree related cleanup that
FrameTree::removeChild() used to do.
(WebCore::FrameLoader::detachFromParent): Call ::closeAndRemoveChild() instead.
(WebCore::FrameLoader::cachePageForHistoryItem): Perform the "can cache page" check here.

loader/FrameLoader.h:

page/FrameTree.cpp:
(WebCore::FrameTree::removeChild): Just remove the Frame from the tree. Closing it and other
cleanup is the responsibility of the FrameLoader.

page/FrameTree.h:
(WebCore::FrameTree::detachFromParent): Added to just clear a Frame's parent pointer

When opacity or transform change on an object which has a compositing layer,
avoid repainting the layer.

Added a new StyleDifference value, StyleDifferenceRecompositeLayer, which indicates
that the only thing styleChanged() has to do is to update composited properties of
the layer. RenderStyle::diff() now has an out param for a bitmask of "context sensitive"
properties, currently for opacity and transform. When one of these changes, we need
to see if we have a compositing layer before we decide whether to layout/repaint,
or just update the composited layer, via adjustStyleDifference().

WebView/WebHTMLView.mm:
(-[WebHTMLView _documentFragmentFromPasteboard:forType:inContext:subresources:]):
Ditto. The affected cases are all plain text ones - RTF, RTFD and HTML are assumed to be
precomposed already, and the conversion is performed outside WebKit for those anyway.

Move createAnonymousBlock() to RenderBlock. Since anonymous blocks are always parented to some other block,
we can move this function to RenderBlock. Fix a couple of call sites as a result of this restriction.

Those are the last auto-generation bits needed to have a working generated HTMLElementFactory:

Added a new option mapToTagName that enables a tag to use another's options and tagName (<image>
uses imgTag for example) and wired the code generation to be consistent with the current factory.

Disabled dashboard compatibility check for HTMLElementFactory as it would make at least one test case fail.

Pass the QualifiedName down to the Element constructor for shared constructors to make the generated code as
close as possible to the current one. We will pass the QualifiedName for all Element in a forthcoming patch.

dom/make_names.pl: Did all the above points and tweaked the code generation to match the current HTMLElementFactory
as closely as possible.

html/HTMLElementFactory.cpp:
(WebCore::quoteConstructor):

html/HTMLQuoteElement.cpp:
(WebCore::HTMLQuoteElement::HTMLQuoteElement): Moved setUsesBeforeAfterRules to HTMLQuoteElement' constructor because some
part of the code creates elements without using the HTMLElementFactory. Also added a FIXME as it is not the right place.

It's not clear how a huge negative visit count ended up in History.plist, but we can't
trust data read from disk so we can at least reset this to something sane. WebCore has
no guard against a visit count overflowing an int, but that seems very unlikely to have
caused this.

History/WebHistoryItem.mm:
(-[WebHistoryItem initFromDictionaryRepresentation:]):
If a negative visit count is in the dictionary, replace it with 1. If a negative daily or
weekly visit count is in the dictionary, replace it with 0.

<rdar://problem/6156755> onMouseOver events do not fire properly for cross frame drag and drop

Reviewed by Adele Peterson.

This problem was caused by incorrectly ignoring whether or not the
default behaviour of the mousedown event was suppressed. If a
mousedown handler in a frame prevents default handling then the
subsequent mousemove events fired for the drag should not be
captured by that frame, should the mouse move out of its bounds.

Move enclosingCompositingLayer() from RenderObject to RenderLayer, since it
relates to the RenderLayer z-order/overflow structure, rather than the render tree
parent chain. Add a convenience method, ancestorCompositingLayer(), which finds
the enclosing layer excluding self.

Shrink the size of all RenderObjects (except for RenderInlines) by 4 bytes. This patch moves the cached vertical position member to RenderInlines,
since they were the only objects being queried across multiple lines.

html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::HTMLMediaElement): Initialize m_loadRestrictions.
(WebCore::HTMLMediaElement::attributeChanged): Only one attribute can change so put an "else" between tests.
(WebCore::HTMLMediaElement::load): Return INVALID_STATE_ERR if RequireUserGestureLoadRestriction is set
and we are not preocessing a user gesture.
(WebCore::HTMLMediaElement::mediaPlayerNetworkStateChanged): Remove unnecessary white space.
(WebCore::HTMLMediaElement::play): Ditto.
(WebCore::HTMLMediaElement::endScrubbing): Remove unnecessary braces added in r40789.
(WebCore::HTMLMediaElement::mediaPlayerTimeChanged): Cache currentTime() in a local instead of calling it
multiple times.
(WebCore::HTMLMediaElement::processingUserGesture): New.

DumpRenderTree/DumpRenderTree.sln: Changed to use the new
Debug_Internal configuration of ImageDiff in the Debug_Internal
configuration of this solution.

DumpRenderTree/cg/PixelDumpSupportCG.cpp:
(printPNG): Changed to call fwrite in a loop, since this call was
failing due to the buffer being too large on Windows.
(dumpWebViewAsPixelsAndCompareWithExpected): Removed an unnecessary
#if PLATFORM(MAC)/#endif.

DumpRenderTree/win/ImageDiff.vcproj: Added a Debug_Internal
configuration that matches the Debug configuration but also references
debug_internal.vsprops.

DumpRenderTree/win/PixelDumpSupportWin.cpp:
(createBitmapContextFromWebView): Renamed from
getBitmapContextFromWebView to match the name used in the
cross-platform code.

page/FrameView.cpp: (WebCore::FrameView::paintContents): Apparently due to a typo
(document vs. !document), fillWithRed was always set to false, and other branches were
never taken. Removing the check for document restores debug-only red color filling.

loader/FrameLoader.cpp: (WebCore::FrameLoader::begin): Only call dispatchWindowObjectAvailable()
after a document is created. A client can do anything in its delegate method, so we'd need
to have frame->document() checks otherwise. DumpRenderTree uses this delegate to add its
custom property, and it was crashing due to null document in JSDOMWindowBase::getOwnPropertySlot().

DumpRenderTree was previously not holding a ref to the WebViews it
created via window.open. It was getting away with this because
WebViews get reffed by being preference notification observers and by
registering for drag-n-drop messages. Now DRT does hold a ref, in case
this situation changes in the future.

Reviewed by Alexey Proskuryakov.

DumpRenderTree/win/DumpRenderTree.cpp:
(dumpBackForwardListForAllWindows): Added a .get().
(windowToWebViewMap): Changed to use the WindowToWebViewMap typedef.

DumpRenderTree/win/DumpRenderTreeWin.h: Changed the
windowToWebViewMap() to hold a ref to the WebViews it contains.

DumpRenderTree would call DestroyWindow on a WebView's host window,
which would send a WM_DESTROY message to the WebView's window. Inside
the WebView's WndProc, we would hold a ref to the WebView, then call
close() and revokeDragDrop(), which would release all remaining
references to the WebView other than the ref we held in the WndProc.
When the WndProc exited, the final ref to the WebView would be
released, invoking WebView's destructor. At this point,
IsWindow(m_viewWindow) would return true, since we were still in the
process of handling WM_DESTROY, so we would call DestroyWindow on the
WebView's window again, re-entering the WndProc and re-reffing the
WebView, leading to recursive destruction.

Reviewed by Alexey Proskuryakov.

WebView.cpp:
(WebView::~WebView): Don't call DestroyWindow if our window is already
being destroyed.
(WebViewWndProc): Only hold an extra ref to the WebView when we're not
being destroyed.

Provide a class type for a generated block of JIT code.
Also changes the return address -> bytecode index map to
track the return addess as an unsigned offset into the code
instead of a ptrdiff_t in terms of voids - the latter is
equal to the actual offset / sizeof(void*), making it a
potentially lossy representation.

platform/graphics/win/SimpleFontDataWin.cpp:
(WebCore::SimpleFontData::widthForGDIGlyph): Make sure that the DC is
in the advanced graphics mode before calling GetCharWidthI(), because
otherwise that function returns incorrect results for the default UI
font at a certain size.

(-[WebHTMLView _removeMouseMovedObserverUnconditionally]): Nil-check _private as it may have not
yet been initialized if this WebHTMLView was loaded from a nib.
(-[WebHTMLView _removeSuperviewObservers]): Ditto.

(WebCore::HTMLSelectElement::menuListDefaultEventHandler): Don't store the renderer in a local variable
as it can be invalidated by any of the calls to focus() within the function. Instead, retrieve it and
null-check it when it is needed.

Remove the m_height member from InlineBox. This shaves 4 bytes off of all inline boxes. Unfortunately SVG
sets heights that are independent of the renderer or of the font, and so all SVG boxes have to retain m_height
member variables.

height() on InlineBox is now a virtual function that does a dynamic computation (including shrinking boxes
with no text children). For SVG boxes there is also a non-virtual setHeight function for updating the
m_height member variable like before.

When WREC was ported to x86-64 it stuck with the same register allocation as x86.
This requires registers to be reordered on entry into WREC generated code, since
argument passing is different on x86-64 and x86 (regparm(3)). This patch switches
x86-64 to use a native register allocation, that does not require argument registers
to be reordered.

rendering/MediaControlElements.cpp:
(WebCore::MediaControlPlayButtonElement::defaultEventHandler): Use new media element
togglePlayState method.
(WebCore::MediaControlTimelineElement::defaultEventHandler): Tell media element when scrubbing
begins and ends so it can deal with pausing logic. Don't call setCurrentTime unless the time
will change.

rendering/RenderMedia.cpp:
(WebCore::RenderMedia::updateControls): Ask media element if it is able to play instead of including
internal logic here.
(WebCore::RenderMedia::updateControlVisibility): Ditto.

​https://bugs.webkit.org/show_bug.cgi?id=23850
Code cleanup of HTMLParser class which was using a mix of m_* and bare
class member variable names which helps to obfuscate the code. Also
changed a few of the static helper functions to take a const pointer type
as they should not be modifying the node.